Forefront Identity Manager 2010: In Production
Joe Schulman, Program Manager, Microsoft Corporation
Adrienne Wu, Program Manager, Microsoft Corporation
SESSION CODE: SIA319
Business Ready Security: Help securely enable business by managing risk and empowering people
Across on-premises & cloud
Integrate and extend security across the enterprise
From Block, Cost, Siloed to Enable, Value, Seamless
Simplify the security experience, manage compliance
Protect everywhere, access anywhere
Highly Secure & Interoperable Platform
Identity
Woodgrove Bank (fictitious organization)
15,000+ employees, 19 IT Specialists, 3 Continents
Scenarios: Self-service Password Reset, Group Management, Provisioning
Today's Goals
How do I manage FIM in production?
- Change management
- Disaster recovery
- Monitor availability
- Respond to helpdesk tickets
How do I measure and demonstrate the value of FIM?
General FIM Resources
Microsoft Supported (TechNet):
http://technet.microsoft.com/en-us/library/ee621258(WS.10).aspx
http://technet.microsoft.com/en-us/forefront/default.aspx
Community:
http://social.technet.microsoft.com/Forums/en-US/ilm2/threads
https://connect.microsoft.com/site433
The basics of Change Management in FIM
- Separate the pilot environment from production
- Make all changes in pilot and test them in pilot
- Migrate changes to production using PowerShell scripts
Philosophy of FIM Change Management
FIM's value is automating changes in connected systems.
- Automation, or "policy", is customer-specific.
- Most connected systems have no "Undo" or "Recycle Bin".
- Getting policy wrong means unintended consequences: we don't want you to accidentally automate de-provisioning all employees!
We recommend a separate lab environment with a representative topology, and using the config migration process to push changes into production.
Considerations
Do not:
- Delete out-of-box objects
- Rename out-of-box objects
- Make changes in production
- Modify the intermediate XML
Do:
- Follow the published guide
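As an added example of the pilot-to-production migration the deck tells you to script (this is not code from the deck or from the Microsoft guide, though it follows the export / join / compare / import pattern of the FIMAutomation cmdlets that the guide describes): export policy from both environments, compute the delta, summarise it for a read-only review, and only then commit it. The host names, file names and join rules are assumptions; adjust the join rules to the object types you actually migrate.

```powershell
# Added example: pilot-to-production policy migration with the FIMAutomation
# snap-in. Host names, file names and join rules are assumptions for this example.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$pilotUri    = 'http://fim-pilot:5725/ResourceManagementService'   # assumed
$prodUri     = 'http://fim-prod:5725/ResourceManagementService'    # assumed
$changesFile = 'changes_policy.xml'

# 1. Export policy and portal configuration from both environments.
#    Schema (-SchemaConfig) is migrated the same way in a separate, earlier run.
$pilot = Export-FIMConfig -Uri $pilotUri -PolicyConfig -PortalConfig -AllLocales -MessageSize 9999999
$prod  = Export-FIMConfig -Uri $prodUri  -PolicyConfig -PortalConfig -AllLocales -MessageSize 9999999

# 2. Join objects across environments by a stable attribute, never by ObjectID:
#    GUIDs differ between pilot and production.
$joinRules = @{
    ManagementPolicyRule = 'DisplayName'
    Set                  = 'DisplayName'
    WorkflowDefinition   = 'DisplayName'
    EmailTemplate        = 'DisplayName'
    Person               = 'AccountName'   # out-of-box accounts resolve by name
}
$matches = Join-FIMConfig -Source $pilot -Target $prod -Join $joinRules -DefaultJoin DisplayName

# 3. Compute the delta and persist it. Review the file; do not hand-edit it.
$changes = $matches | Compare-FIMConfig
$changes | ConvertFrom-FIMResource -File $changesFile

# 4. Read-only review: what would be created, updated or deleted, per type.
#    Unexpected Delete entries, or changes to Person/Set objects you did not
#    touch in pilot, are the signal to stop before anything reaches production.
$changes | Group-Object ObjectType, State | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
if ($changes | Where-Object { $_.State -eq 'Delete' }) {
    Write-Warning 'Delta contains deletes; review before committing.'
}

# 5. Commit to production from the saved file as a separate, deliberate step.
#    Import-FIMConfig returns the objects it could NOT import; nothing back is success.
$imports = ConvertTo-FIMResource -File $changesFile
$undone  = $imports | Import-FIMConfig -Uri $prodUri
if ($undone -eq $null) {
    'All objects imported successfully.'
} else {
    $undone | ConvertFrom-FIMResource -File 'undone_imports.xml'
    Write-Error "$(@($undone).Count) object(s) failed to import; see undone_imports.xml"
}
```

Steps 1 to 4 are safe to run repeatedly against production because they only read; step 5 is the single point at which production changes, which is why it reads from the reviewed file rather than from the in-memory delta.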
The basics of FIM disaster recovery
SQL, SQL, SQL!
- Back up and restore the FIM Service and Synchronization Service SQL databases in lock-step
- See the guide for more details
- Test your backups
Recommended FIM Backup Schedule
FIM component | Full backup frequency | Incremental backup frequency
FIM Service Database | Daily | In accordance with organizational policies*
FIM Service .NET Application Configuration File | Every time after installing or changing the configuration file | Same as full backup frequency
FIM Service Registry Key Values | Every time after installing or changing the registry key values | Same as full backup frequency
* If incremental backup is not planned, the database should be set to simple recovery mode.
Recommended FIM Backup Schedule (continued)
FIM component | Full backup frequency | Incremental backup frequency
FIM Synchronization Service Database | Daily | In accordance with organizational policies
FIM Synchronization Service Synchronization Configuration | Every time after installing or changing the management agent configuration | Same as full backup frequency
FIM Synchronization Encryption Keys | Every time after installing or changing encryption key values | Same as full backup frequency
FIM Portal | Only when you change the web.config file | Same as full backup frequency
Testing backups
Failing to test a backup can be as bad as not having a backup.
Define a test plan with a couple of core scenarios:
- End users can join groups
- End users can approve requests
- End users can reset passwords
- Changes in FIM flow out to connected systems
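An added example of the "lock-step" database backup and a first-line backup test (not code from the deck or from the backup and restore guide, whose own procedure should take precedence): both services are quiesced so the two database backups describe the same point in time, each backup is taken with checksums, and each file is verified immediately. The SQL instance, backup share and database names are assumptions (the database names are the FIM defaults).

```powershell
# Added example: lock-step backup of the FIM Service and FIM Synchronization
# Service databases, followed by RESTORE VERIFYONLY. Instance, share and
# database names are assumptions; run it when no run profiles are scheduled,
# because stopping the Sync Service aborts any run in progress.
param(
    [string]$SqlInstance = 'FIMSQL01',                                  # assumed
    [string]$BackupDir   = '\\backup01\fim$',                           # assumed
    [string[]]$Databases = @('FIMService', 'FIMSynchronizationService') # default names
)

function Invoke-FimSql {
    # Run one T-SQL batch with integrated auth; no SQL module dependency.
    param([string]$Instance, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 0      # backups can outlive the default 30 s
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

$services = 'FIMService', 'FIMSynchronizationService'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$files    = @{}

# 1. Quiesce both services so no request or sync run lands between the two
#    backups. The FIM MA state in the Sync database must match the FIM Service
#    database, or a restored pair will not line up.
$services | ForEach-Object { Stop-Service $_ -Force }
try {
    foreach ($db in $Databases) {
        $file = Join-Path $BackupDir "$db-$stamp.bak"
        $files[$db] = $file
        # CHECKSUM surfaces page corruption at backup time, not at restore time.
        Invoke-FimSql $SqlInstance "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 10;"
    }
} finally {
    $services | ForEach-Object { Start-Service $_ }
}

# 2. Test the backup the day it is written. VERIFYONLY reads the whole file and
#    validates the checksums; it throws (and so fails this script) on a
#    truncated or unreadable file. It does not replace a real restore in the lab.
foreach ($db in $Databases) {
    Invoke-FimSql $SqlInstance "RESTORE VERIFYONLY FROM DISK = N'$($files[$db])' WITH CHECKSUM;"
    "$db backup verified: $($files[$db])"
}
```

This covers only the two databases; the configuration file, registry keys, synchronization configuration and Sync encryption keys in the schedule above still have to be captured whenever they change, and the verified files should be restored into the lab and walked through the test plan scenarios.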
The basics of Monitoring Availability
- Prioritize end user scenarios first
- Use Operations Manager 2007
- Use the existing MPs for SQL and Windows Server
End user availability
Can end users accomplish self-service? This is the primary monitoring scenario for most people.
- Use the Operations Manager 2007 Web Application Monitor; see the MP Guide for a synthetic transaction to configure
- Supplement the Web App Monitor with FIM MP monitors, e.g. monitor the FIM Service
SQL Availability
E.g. Does SQL have enough disk space?
- SQL failures = FIM failures
- The FIM MP does not provide monitors for SQL
- Use the SQL MP for monitoring SQL in production
Sync Availability
Did my Run Profile execute?
- The FIM MP monitors for Sync Service configuration failures, e.g. were there errors during a sync?
- You need to tune the MP to meet your specific sync scenario.
- You need to add instrumentation to the way you execute run profiles.
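An added example of the run-profile instrumentation the slide asks for (not code from the deck or from the FIM Management Pack): the run profile is executed through the Synchronization Service WMI provider, and the outcome is written to the Application log under a fixed event source and event IDs, which is what an Operations Manager rule can then watch for. The management agent name, run profile name, event source and event IDs are assumptions.

```powershell
# Added example: execute a run profile through the MIIS WMI provider and record
# the outcome in the Application log for Operations Manager to alert on.
# MA name, run profile name, event source and event IDs are assumptions.
param(
    [string]$MaName  = 'AD MA',            # assumed management agent name
    [string]$Profile = 'Delta Import',     # assumed run profile name
    [string]$Source  = 'FIM Run Profile'   # assumed event source
)

# Write-EventLog needs a registered source; registering it requires admin
# rights and only has to happen once per server.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Write-RunEvent([string]$Type, [int]$Id, [string]$Message) {
    Write-EventLog -LogName Application -Source $Source -EntryType $Type -EventId $Id -Message $Message
}

$ns = 'root\MicrosoftIdentityIntegrationServer'
$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
if ($ma -eq $null) {
    Write-RunEvent 'Error' 1003 "Management agent '$MaName' not found; run profile '$Profile' was not executed."
    exit 2
}

# Refuse to start while another run is in progress. Overlapping runs are a
# common cause of "it never ran" tickets that no error event explains.
$status = $ma.RunStatus().ReturnValue
if ($status -eq 'in-progress') {
    Write-RunEvent 'Warning' 1002 "Run profile '$Profile' skipped: '$MaName' is $status."
    exit 1
}

$started = Get-Date
$result  = $ma.Execute($Profile).ReturnValue
$elapsed = [int]((Get-Date) - $started).TotalSeconds

# 'success' is the only clean outcome. Anything else (for example
# 'completed-export-errors' or 'stopped-server') is logged as an error so a
# monitor keyed on event ID 1001 fires; ID 1000 gives the heartbeat that the
# Sync Availability question ("did it execute?") can be answered from.
if ($result -eq 'success') {
    Write-RunEvent 'Information' 1000 "Run profile '$Profile' on '$MaName' completed: $result in ${elapsed}s."
    exit 0
} else {
    Write-RunEvent 'Error' 1001 "Run profile '$Profile' on '$MaName' finished with '$result' after ${elapsed}s."
    exit 1
}
```

With this in place the MP only needs two rules on the source: alert on event 1001, and alert when no event 1000 has been seen within the expected schedule window, which catches the scheduler itself failing.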
The basics of troubleshooting
Helpdesk tickets still arise: "Can't reset my password", "Can't access the portal", "Can't approve this request".
- Refer to the troubleshooting guide
- Request resources store audit and troubleshooting information
- Don't rely on the management pack for troubleshooting
Five Diagnostic Techniques
1. Requests
2. MPR Explorer
3. SOAP Faults
4. Event Viewer
5. Diagnostic Tracing
* At the end of the deck there are slides that answer what these techniques are, when to use them, and why they are useful.
PowerShell as a troubleshooting aid
- Sometimes it's easier to read and write "raw" views of FIM resources
- Reset a value which isn't exposed in the UI
- PowerShell provides a supported web service client
- See the example scripts on FIM ScriptBox
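An added example of the "raw view" technique (not code from the deck or from FIM ScriptBox, though it uses the same ImportObject/ImportChange pattern the ScriptBox scripts use): read every attribute of one Person through the supported PowerShell client, then set one attribute the portal does not expose, and re-read to confirm. The account name, attribute and value are assumptions.

```powershell
# Added example: read the raw attributes of a Person and set one attribute
# through the FIMAutomation web service client. Account, attribute and value
# are assumptions; the write is a normal Put request, so MPRs still apply.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$uri = 'http://localhost:5725/ResourceManagementService'

function Get-FimAttribute {
    # Return the value (single) or values (multi) of one attribute of an ExportObject.
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($attr -eq $null) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# 1. Read the raw view. -OnlyBaseResources keeps referenced objects out of the result.
$account = 'jdoe'   # assumed
$person  = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person[AccountName='$account']")
if ($person.Count -eq 0) { throw "No Person with AccountName '$account'" }
if ($person.Count -ne 1) { throw "AccountName '$account' matched $($person.Count) objects; refusing to guess" }
$person = $person[0]

$person.ResourceManagementObject.ResourceManagementAttributes |
    Select-Object AttributeName, Value, @{ n = 'Values'; e = { $_.Values -join ';' } } |
    Format-Table -AutoSize

# 2. Write one attribute. Source and target identifiers are the same object
#    because this is an update (State = Put), not a create.
$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'Person'
$import.SourceObjectIdentifier = $person.ResourceManagementObject.ObjectIdentifier
$import.TargetObjectIdentifier = $person.ResourceManagementObject.ObjectIdentifier
$import.State                  = 'Put'

$change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$change.Operation      = 'Replace'
$change.AttributeName  = 'EmployeeType'   # assumed attribute not shown in the portal
$change.AttributeValue = 'Contractor'     # assumed value
$change.FullyResolved  = $true
$change.Locale         = 'Invariant'
$import.Changes = @($change)

# Import-FIMConfig hands back what it could not apply; nothing back means the
# request completed. A rejection here is itself a Request object: inspect it for
# the MPRs that were (not) applied rather than retrying blindly.
$undone = $import | Import-FIMConfig -Uri $uri
if ($undone -ne $null) { throw "Put was rejected; inspect the Request object for the applied policy" }

# 3. Re-read to confirm the write landed.
$after = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig "/Person[AccountName='$account']"
"EmployeeType is now: $(Get-FimAttribute $after 'EmployeeType')"
```

Because the client goes through the FIM Service like any other caller, the write is audited as a Request and is subject to the same MPRs as the portal; it is a way around a missing UI, not around policy.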
The basics of measuring Value for FIM
FIM provides a lot of value in many different ways:
- Certificate management
- Automated provisioning
- Criteria-based (dynamic) groups
- Self-service identity management
Measuring value is environment-specific, but here are some pointers.
Measuring value for self-service scenarios
- End users calling the helpdesk costs ~$30 per password reset
- The value of self-service is the number of helpdesk calls avoided
- Report on the number of self-service password resets. Not a feature in FIM today; consider a partner like Omada to help.
- Use this pattern to measure the value of group management and approvals
XPath Queries for Password Reset Search Scope
(The Creator GUID below is the built-in Anonymous account, which issues password reset requests on the user's behalf.)
All Password Reset Requests:
/Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and Operation='Put']
All Completed Password Reset Requests:
/Request[Creator='b0b36673-d43b-4cfa-a7a2-aff14fd90522' and RequestStatus='Completed']
Measuring value for automated provisioning
- Copying and pasting users in Active Directory is prone to error
- The value of automation based on policy is always-in-compliance users
- Report the number of changes to user resources which you no longer have to track manually
- Similar pattern to self-service password reset activity
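An added example (not code from the deck) that turns the two reporting patterns above, self-service password resets and policy-driven provisioning changes, into a monthly count from Request objects. It combines the deck's two XPath conditions so only completed Puts count as a delivered reset, and it resolves the synchronization account by its out-of-box display name rather than hard-coding a GUID. The reporting window and the $30 cost figure (taken from the slide) are assumptions.

```powershell
# Added example: monthly report of self-service password resets and provisioning
# changes from FIM Request objects. Anonymous GUID is the one on the slide; the
# sync account is resolved by display name. Window and cost figure are assumptions.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$uri    = 'http://localhost:5725/ResourceManagementService'
$months = 3           # assumed reporting window
$costPerReset = 30    # the deck's ~$30 helpdesk cost; assumed for the estimate

function Get-FimAttribute {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($attr -eq $null) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Reset requests are created by the built-in Anonymous account on the user's behalf.
$anonymous = 'b0b36673-d43b-4cfa-a7a2-aff14fd90522'

# Provisioning changes arrive through the FIM MA under the synchronization account.
$syncAccount = Export-FIMConfig -Uri $uri -OnlyBaseResources `
    -CustomConfig "/Person[DisplayName='Built-in Synchronization Account']"
if ($syncAccount -eq $null) { throw 'Built-in Synchronization Account not found' }
$syncId = $syncAccount.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''

# FIM XPath compares datetimes in this format; use UTC to match CreatedTime.
$since = (Get-Date).ToUniversalTime().AddMonths(-$months).ToString('yyyy-MM-ddTHH:mm:ss')

$scopes = @{
    'Self-service password resets' =
        "/Request[Creator='$anonymous' and Operation='Put' and RequestStatus='Completed' and CreatedTime >= '$since']"
    'Provisioning changes to users' =
        "/Request[Creator='$syncId' and TargetObjectType='Person' and RequestStatus='Completed' and CreatedTime >= '$since']"
}

# One row per request, bucketed by month.
$report = foreach ($name in $scopes.Keys) {
    $requests = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $scopes[$name] -MessageSize 9999999)
    foreach ($r in $requests) {
        $created = [datetime](Get-FimAttribute $r 'CreatedTime')
        New-Object PSObject -Property @{ Scenario = $name; Month = $created.ToString('yyyy-MM') }
    }
}

$report | Group-Object Scenario, Month | Sort-Object Name |
    Select-Object @{ n = 'Scenario / Month'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Put a number on the self-service line using the deck's cost per reset.
$resets = @($report | Where-Object { $_.Scenario -eq 'Self-service password resets' }).Count
"Estimated helpdesk cost avoided over $months month(s): `$$($resets * $costPerReset)"
```

The same shape serves the group-management and approval scenarios mentioned earlier: change the Creator and Operation conditions (for example, completed Puts whose target object type is Group) and the grouping stays identical.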
Resources mentioned in this presentation
Disaster Recovery: http://technet.microsoft.com/en-us/library/fim-2010-backup-and-restore-guide(WS.10).aspx
Config Migration: http://technet.microsoft.com/en-us/library/ee534906(WS.10).aspx
Troubleshooting Guide: http://technet.microsoft.com/en-us/library/ff608271(WS.10).aspx
FIM ScriptBox: http://go.microsoft.com/fwlink/?LinkID=163230
Infrastructure Planning and Design (IPD) Guide: Microsoft Forefront Identity Manager 2010
What are IPD Guides? Guidance & best practices for infrastructure planning of Microsoft technologies.
Forefront Identity Manager 2010 Guide Benefits:
- Helps the architect define the project scope by quickly assessing which specific identity management functionality the business needs, and for what resources
- Based on the scope, identifies the FIM infrastructure components required to achieve the project goals
- Determines the sizing, placement, and fault tolerance configuration of the FIM services, portals, and databases
It's a free download! Go to www.microsoft.com/ipd
Check out the entire IPD series for streamlined IT infrastructure planning.
"At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this." Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services
Related Content
SIA318 – Deploying FIM
SIA03-INT – Deploying FIM and Chalk Talk
SIA06-INT – Identity and Access Management Solution Demos
Track Resources
Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Request Objects
What? A FIM object that records the progress of a request.
When? First choice for diagnostics. Use it to diagnose failures from user actions that occurred in the past; the other techniques require a repro.
Why? Records which MPRs were applied to the request, and records errors from workflow activities.
Example: Can't Reset Password
Demo: An end user gets a failure when resetting their password after registering.
Problem: The MPR granting anonymous users permission to reset passwords is not configured.
Diagnostics: The administrator inspects the request object and sees no applied policy.
Solution: The administrator modifies the existing MPR to grant permission to reset passwords.
MPR Explorer
What? An RC1 feature that simulates the request object.
When? The request object is not available, or you want to predict applied policies without making requests.
Why? Executes the query to find matching policy. No change to the system, since it only simulates requests.
Example: Wrong Policy Applied
Demo: An HR user attempts to modify the title of someone in the finance department.
Problem: The MPR granting the HR user permission to set title is not present.
Diagnostics: The administrator uses MPR Explorer and notes that no MPR is applied as policy.
Solution: The administrator creates an MPR, Set, Notification Activity Workflow, and Email Template to enable the policy.
SOAP Faults
What? A SOAP message that indicates failure.
When? Diagnosing failures with custom clients.
Why? Provides information on failures in both the structure and the content of the SOAP request. Vital for diagnosing structural problems in custom clients.
Notable SOAP Faults
- Invalid Representation: Something is wrong with the data sent in.
- Permission Denied: Generic catch-all indicating multiple types of failures.
- Authorization Required: The request was accepted, but an authorization (AuthZ) workflow such as an approval is still running, so the change has not been committed yet.
Health Events
What? Targeted events that indicate a specific root-cause failure. Written to the Application log; consumed by the Management Pack.
When? To detect cross-cutting failures, independent of requests.
Why? Reported by components upon specific, known errors.
Diagnostic Events
What? "Errors" detected by the service. Mostly noise, but useful to investigate one-off failures. Written to the Forefront Identity Manager log for the FIM Service and to the Application log for the FIM Sync Service.
When? To correlate low-level exception information with failures elsewhere. Specifically useful for seeing failures in workflows and requests.
Why? Records low-level information for all .NET exceptions.
Example: FIM MA Export Failures
Demo: The administrator flows data which violates validation and the FIM MA export fails.
Problem: The source data or the validation rule needs to be changed so that they match.
Diagnostics: The administrator looks at the error in Identity Manager and correlates it with information in Event Viewer.
Solution: The administrator relaxes the validation rule so the data can be exported.
Diagnostic Tracing
What? The "blunt instrument of last resort". Contains much noise.
When? As a last resort, usually at the direction of PSS. Useful for custom client failures.
Why? Captures everything the Microsoft.ResourceManagement trace source emits (see MSDN for the guide to enabling it), at a cost: it requires a service restart and causes non-trivial performance degradation.
Example: Exchange Failures
Demo: FIM does not receive incoming mail from Outlook and does not send approval mail.
Problem: FIM is configured to connect to Exchange without SSL.
Diagnostics: The administrator sees the failure to connect to Exchange in Event Viewer and in the diagnostic trace.
Solution: Update the configuration file.